'Root' & The New Age Of IoT-Based DDoS Attacks

Last Friday's massive DDoS that exploited online cameras and DVRs was simple to pull off -- and a new chapter in online attacks.

The distributed denial-of-service (DDoS) attack last Friday, launched from an army of infected webcams, DVRs, and other systems, crippled a large chunk of the Internet's domain name system (DNS) and served as a wake-up call after years of research and warnings about vulnerable consumer and embedded devices.

It also led to a rare mea culpa by a consumer networked-device manufacturer: Hangzhou Xiongmai Technology Co Ltd, the Chinese maker of electronics for some of the surveillance cameras hijacked by the so-called Mirai botnet used in the attack against DNS provider Dyn, reportedly said it will recall some of its affected products. The firm plans to ratchet up authentication as well as patch devices manufactured prior to April 2015, according to a Reuters report.

Even so, a recall is far from the solution to cleaning up the botnet pollution, especially in the Internet of Things space, security experts say.

"The trouble with hardware that has been hijacked for Mirai is that the devices are 'white label' goods, produced by an unbranded manufacturer for third-party companies," Sophos' principal research scientist Chester Wisniewski said in a blog post today. "The Chinese company that made the hijacked devices, XiongMai, almost certainly has no way of knowing which companies have rebranded and sold its insecure cameras, and thus who the end users are. That makes it pretty much impossible to recall them."

IoT devices—everything from home routers to webcams and smart fridges—are well-known easy targets. Aside from the "white label" component issue, most of them ship with default credentials and few or no security controls. The bot-infected army of IoT devices pummeled Dyn last Friday and crippled major websites such as Okta, Pinterest, Reddit, and Twitter, leaving sites inaccessible or slow to load for some users.

But the attackers behind the DDoS, whose identity is still under investigation, did not need any sophisticated hacking to recruit their IoT devices. Finding vulnerable IoT devices wide open to the public Internet is easy.

Vikas Singla, co-founder and chief operating officer of stealth startup Securolytics, says his firm found that two basic factors contributed to the Mirai botnet's formation. First, some IoT devices, including webcams, routers, and DVRs, announce their model number and software version to anyone who connects to them over the Internet. "IoT devices tell you what they are … servers don't do that," notes Singla.

Securolytics, which scans healthcare and financial services networks for vulnerable IoT devices, also found that the devices recruited into the Mirai botnet share one common default login: "root."

Mirai scans for devices with telnet exposed, tries a list of default credentials, and when a pair works, logs in and enlists the device to generate DDoS traffic. CCTV cameras are the devices most often taken over because so many of them still run with default credentials. The malware is built to run on the BusyBox environment found on many IoT devices.
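The scanning sequence described above leaves a recognizable footprint on the defender's side. The following Python script is added here as an example; it is not from the article and is not a tool from Securolytics, Dyn, or Sophos. It runs simple detection logic over a few constructed telnet log lines: it groups login attempts by source address, counts how many use username/password pairs from the list hard-coded in the leaked Mirai scanner source (only a handful of those pairs are included below), and notes whether a login was followed by a `/bin/busybox` command, which the leaked scanner issues to confirm it has landed in a BusyBox shell. The log format, field names, and IP addresses are invented for the example; adjust the regular expressions to your own honeypot or syslog output.

```python
"""Flag Mirai-style telnet default-credential scanning in telnet logs.

Added example, not part of the article. The log format below is
constructed for this example (one auth attempt or one command per line).
"""
import re
from collections import defaultdict

TELNET_PORTS = {23, 2323}

# Small subset of the username/password pairs hard-coded in the leaked
# Mirai scanner source; extend from the public list as needed.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "123456"), ("root", "root"), ("root", ""),
}

# Constructed sample log: two scanners, one SSH login, one ordinary telnet failure.
SAMPLE_LOG = """\
2016-10-21T07:10:01Z src=198.51.100.7 dport=23 user=root pass=xc3511 result=fail
2016-10-21T07:10:02Z src=198.51.100.7 dport=23 user=root pass=vizxv result=fail
2016-10-21T07:10:02Z src=198.51.100.7 dport=23 user=root pass=admin result=fail
2016-10-21T07:10:03Z src=198.51.100.7 dport=23 user=admin pass=admin result=success
2016-10-21T07:10:03Z src=198.51.100.7 dport=23 cmd=/bin/busybox MIRAI
2016-10-21T07:12:40Z src=203.0.113.9 dport=2323 user=root pass=888888 result=fail
2016-10-21T07:12:41Z src=203.0.113.9 dport=2323 user=root pass=123456 result=fail
2016-10-21T08:00:00Z src=192.0.2.44 dport=22 user=alice pass=correcthorse result=success
2016-10-21T08:05:12Z src=192.0.2.50 dport=23 user=operator pass=S3cr3t! result=fail
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>success|fail)$"
)
CMD_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) cmd=(?P<cmd>.*)$"
)


def analyze(log_text):
    """Per-source evidence of default-credential scanning on telnet ports."""
    stats = defaultdict(lambda: {"attempts": 0, "default_hits": 0,
                                 "success": False, "busybox_probe": False})
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            if int(m["dport"]) not in TELNET_PORTS:
                continue  # only telnet is relevant to this pattern
            s = stats[m["src"]]
            s["attempts"] += 1
            if (m["user"], m["pw"]) in MIRAI_DEFAULTS:
                s["default_hits"] += 1
            if m["result"] == "success":
                s["success"] = True
            continue
        m = CMD_RE.match(line)
        if m and int(m["dport"]) in TELNET_PORTS and "/bin/busybox" in m["cmd"]:
            stats[m["src"]]["busybox_probe"] = True
    return dict(stats)


def flagged_sources(log_text, min_default_hits=2):
    """Map source IP -> list of reasons for sources that look like Mirai scanners."""
    out = {}
    for src, s in analyze(log_text).items():
        reasons = []
        if s["default_hits"] >= min_default_hits:
            reasons.append(f"{s['default_hits']} default-credential attempts")
        if s["busybox_probe"]:
            reasons.append("BusyBox probe after login")
        if reasons:
            if s["success"]:
                reasons.append("LOGIN SUCCEEDED: device likely compromised")
            out[src] = reasons
    return out


if __name__ == "__main__":
    for src, reasons in flagged_sources(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons))
```

A successful login from a flagged source is the line that matters: it means a device on your network accepted a factory credential over an exposed telnet port and should be pulled from the network and re-credentialed or replaced, not just blocked.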

The Sept. 20 DDoS via Mirai on KrebsOnSecurity peaked at around 620 Gbps, a record for DDoS size at the time. The botnet malware's author later dumped the Mirai source code online.

Meanwhile, Dyn has confirmed that the DDoS attack came in three waves last Friday, and used tens of millions of IP addresses across different locations. "We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack," Kyle York, Dyn's chief strategy officer wrote in a post.

Dyn said the DDoS campaign began at around 7:10 am Eastern and concluded around 1:45 pm Eastern.

While all's been quiet on the Mirai DDoS front since then, security experts say this was only the beginning for IoT-based botnet attacks.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Looking at the extreme end of the solution spectrum, the recent stories regarding GCHQ's call upon Internet Providers to rewrite systems to aid in preventing hacking attacks seem relevant right now. The idea of national firewalls, national Internet silos, and entirely re-written protocols makes one wonder how bad the cybersecurity ecosystem situation really is out there. For some of us on the inside, we have a better idea, but it's often still only a glimpse compared to what government agencies see. Would these re-writes of standards, protocols and software really do well in preventing large-scale cyber attacks? Is DDoS really the only reason to make such a call for change, or is that type of attack better made a thing of the past through less drastic changes? If BT and Virginia Media are going to work with government cyber-defense teams to rewrite Internet standards to restrict spoofing, is this the foot in the door of a global revamp of the Internet? I know the Internet Service Providers Association (ISPA) is skeptical, as they should be. Such a move could cost trillions of dollars, millions of hours of work and be brought to the floor with a single righteous hack after it's implemented. Measures noted in this article are alternate and logical ways to help on the small scale, but it keeps bringing into question: What do we do for the large-scale?
